Your iPhone's password demands aren't just annoying. They're a security flaw

Apple’s constant requests for your password could make it easy for miscreants to steal it via phishing, a developer has warned.
Apple’s constant requests for your password could make it easy for rogue developers to steal it via phishing. Photograph: Samuel Gibbs for the Guardian

The iPhone’s habit of repeatedly requesting your Apple ID password with little explanation or warning isn’t just annoying – it’s also a security flaw which could allow attackers to craft extremely convincing phishing attacks, an iOS developer has warned.

Regular users of iPhones or iPads will be used to sporadic requests from the operating system to enter their Apple ID password, popping up in the middle of other activities and preventing them from continuing until they accede to the request.

It can be frustrating, particularly if the password is long and complex, and it can often be hard to work out why, precisely, the device needs your credentials. But according to developer Felix Krause, the incessant requests are more than just an irritation.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, eg when they want to access iCloud, GameCenter or in-app purchases,” Krause said.

“This could easily be abused by any app, just by showing [an alert] that looks exactly like the system dialogue. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”

Apple’s standard alerts look identical to those that normal developers can present, Krause noted, which means a well-crafted phishing pop-up could present absolutely no visual warnings that something “phishy” was afoot.
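To make that claim concrete, here is an added Swift example (it is not code from the article, nor Krause’s own demonstration) of the kind of alert the article describes: an ordinary UIAlertController with a secure text field, presented by a third-party app. The title, message, the placeholder Apple ID address, the hypothetical handleCapturedPassword sink and the view controller name are all assumptions constructed for illustration.

```swift
import UIKit

// Added example, not from the article or from Felix Krause's own demo code.
// It shows that a third-party app can present an alert that is visually
// indistinguishable from the system's Apple ID password prompt using only
// public UIKit API. The strings below are constructed to imitate the real
// dialog; the Apple ID address and the password sink are hypothetical.

final class LookalikeAlertViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        presentLookalikePasswordPrompt()
    }

    /// Presents a UIAlertController styled like the system Apple ID prompt.
    /// Nothing in the resulting dialog marks it as coming from a third-party
    /// app: same alert style, same secure text field, same button layout.
    func presentLookalikePasswordPrompt() {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for the Apple ID \"user@example.com\".",
            preferredStyle: .alert
        )
        // A secure text field hides the typed characters exactly as the
        // genuine prompt does, which is what makes the alert convincing.
        alert.addTextField { textField in
            textField.placeholder = "Password"
            textField.isSecureTextEntry = true
        }
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { [weak alert] _ in
            // This is the capture point. A malicious app would exfiltrate the
            // value here; this example hands it to a hypothetical sink that
            // discards it.
            let captured = alert?.textFields?.first?.text ?? ""
            LookalikeAlertViewController.handleCapturedPassword(captured)
        })
        present(alert, animated: true)
    }

    /// Hypothetical sink standing in for whatever the app does with the text.
    /// In a real attack this is where the credential would leave the device;
    /// here it deliberately does nothing.
    static func handleCapturedPassword(_ password: String) {
        _ = password.count
    }
}
```

Two practical observations follow from the code. First, every call used is a documented, public UIKit API, so there is nothing for App Store review to flag on API grounds alone; the only signal is the wording of the strings. Second, the alert is owned by the app’s view controller, which is exactly why the home-button test described below works: sending the app to the background dismisses this alert along with the app, whereas a prompt generated by the system does not depend on any one app staying in the foreground.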

Apple declined to comment.

As currently constituted, there is only one way a user can be certain that the request for a password comes from Apple and not a rogue app, Krause said: hit the home button before entering the password. That’s because the home button is handled by the operating system itself and cannot be intercepted by a third-party app. Pressing it sends the foreground app to the background, and any pop-up that app was showing disappears with it, while a genuine system prompt survives.

There is no evidence that any unscrupulous developer has used Krause’s technique in practice, and turning it into an effective phishing attack would still face two further hurdles: the app must make it past Apple’s reviewers to get on the App Store, and the developer must convince users to install it.

Nonetheless, the problem faced by Apple is one that many other software developers have had to tackle over the years. “Security overload”, or the risk that users become so overwhelmed by security features that they actually create insecurity, is a long-running problem.

Famously, Windows Vista launched with a feature called User Account Control, which was intended to stop rogue programs from silently gaining administrative control of a computer. But in practice, it meant that the operating system interrupted the user to ask permission almost every time any program wanted to do anything privileged. Users rapidly learned to simply click continue without reading the dialogue, undoing much of the security benefit and eventually forcing Microsoft to scale the feature back sharply in Windows 7, which prompted far less often and let users choose how aggressively it warned them.

Even before then, however, Microsoft had solved one of the problems that currently affects iOS. In its Windows NT line, the versions of Windows aimed at business customers, it came up with an ingenious way to ensure that malware couldn’t convincingly ask for a user’s password: the real login screen can only be summoned by a keyboard command, Ctrl-Alt-Delete, that is intercepted by the operating system itself and can never be seen or faked by an ordinary program. A fake login screen cannot respond to the key combination, so a user who presses it first will see the real one.

It’s the same idea as Felix Krause’s suggestion to hit the home button before entering passwords, except it was implemented more than 20 years ago, with the first releases of Windows NT in the early 1990s. The more things change, the more they stay the same.

This article titled "Your iPhone's password demands aren't just annoying. They're a security flaw" was written by Alex Hern for the Guardian on Thursday 12 October 2017 11.17am
